EP 1905211 Technique for authenticating network users

ABSTRACT – A technique for authenticating network users is disclosed. In one particular exemplary embodiment, the technique may be realized as a method for authenticating network users. The method may comprise receiving, from a client device, a request for connection to a network. The method may also comprise evaluating a security context associated with the requested connection. The method may further comprise assigning the client device one or more access privileges based at least in part on the evaluation of the security context.

FIELD OF THE DISCLOSURE

The present disclosure relates generally to network security and, more particularly, to a technique for authenticating network users.

BACKGROUND OF THE DISCLOSURE

To prevent unauthorized access, it is often necessary for a network to authenticate its users to ensure that each user is who he or she claims to be. Conventional user authentication methods typically involve a brief interaction between a user and a network, wherein the user provides to the network a security identifier such as a secret password, a token device, a digital certificate, a biometric key, or a combination thereof. The network then verifies the security identifier against records of authorized users.

Conventional user authentication methods only produce a binary result – pass or fail. That is, if a user provides a security identifier that cannot be verified by the network, the user will be denied access completely. If the user’s security identifier can be successfully verified, the user is often granted full access to the network. In some networks, each authorized user may have predetermined access privileges also known as a “role.” In this type of network, conventional user authentication methods still produce a binary result. That is, if the user is authenticated, he or she is assigned a predetermined role in the network. If the user is not authenticated, he or she will be completely locked out.

Except for a user-provided security identifier, conventional user authentication methods typically do not take into account any other factors in its decision to grant or deny access. That is, as long as a user enters a correct set of username and password, the user will be granted full access or a predetermined access privilege. In other words, conventional user authentication methods only care about who the user is, and do not pay attention to the circumstances in which the user accesses the network. Such conventional user authentication methods may make the network vulnerable to virus infections and/or malicious attacks. For example, a client device infected with virus may easily gain access to the network and put other devices at a greater risk of infection.

In addition, it is generally assumed that a network cannot trust client devices from which end-users access the network. Therefore, once a user disconnects from the network, the user’s authentication with the network expires. The next time the user attempts to access the network, the user has to be re-authenticated. Even if the user does not leave the network but simply moves from one part of the network to another, the user may also have to go through a re- authentication process. To a network user, re-authentication can be inconvenient and sometimes annoying. For example, when roaming within a network, in each new location, a user may have to close some networked applications, get re- authenticated, and then restart the networked applications. As a result, in-network mobility may be burdened even for a legitimate user of the network.

Another problem with conventional user authentication methods lies in a general requirement that a client device requesting access to a network must be compatible with the authentication scheme supported by the network. A traditional network typically supports only one particular authentication scheme, which may be based on, for example, the IEEE 802.1x standard, a Media Access Control (MAC) or Internet Protocol (IP) database, or the Remote Authentication Dial In User Service (RADIUS) protocol. Such a network can only authenticate a client device that is pre-configured to work with the network’s chosen authentication scheme. For example, a network that only supports the IEEE 802.1x standard may not be able to authenticate a client device that employs the RADIUS protocol. Some networks go even further by requiring trusted, proprietary client software to be pre-installed in client devices. These compatibility requirements tend to block otherwise legitimate users with incompatible devices and may cause frustration or dissatisfaction in network users. In view of the foregoing, it would be desirable to provide a technique for authenticating network users which overcomes the above-described inadequacies and shortcomings.

SUMMARY OF THE DISCLOSURE

A technique for authenticating network users is disclosed. In one particular exemplary embodiment, the technique may be realized as a method for authenticating network users. The method may comprise receiving, from a client device, a request for connection to a network. The method may also comprise evaluating a security context associated with the requested connection. The method may further comprise assigning the client device one or more access privileges based at least in part on the evaluation of the security context. In accordance with other aspects of this particular exemplary embodiment, the security context may be evaluated at least in part by an agent program in the client device. The agent program may interact with the network to evaluate the security context. At least a portion of the security context may be evaluated prior to the request for connection. The agent program may comprise a JAVA applet. The agent program may be automatically downloaded to the client device upon receipt of the request for connection. In addition, the agent program may remain in the client device, after the client device disconnects from the network, in preparation for a subsequent connection to the network.

In accordance with further aspects of this particular exemplary embodiment, the security context may comprise one or more factors selected from a group consisting of: a user login mechanism employed by the client device, a threat level associated with the network, vulnerabilities of an access medium with which the client device connects to the network, and a security level associated with the client device. In accordance with additional aspects of this particular exemplary embodiment, the method may further comprise generating a security token that records the one or more access privileges assigned to the client device and storing the security token in the client device. The method may also comprise detecting the security token in the client device when the client device, after ending a first connection to the network, attempts a second connection to the network and granting the client device access to the network based on the one or more recorded access privileges if the security token is detected and verified. The first and the second connection to the network may be through different ports.

In accordance with a further aspect of this particular exemplary embodiment, the method may further comprise generating a security token that records at least a portion of the security context and storing the security token in the client device. The method may also comprise: detecting the security token in the client device when the client device, after ending a first connection to the network, attempts a second connection to the network, and granting the client device access to the network based at least in part on the recorded security context if the security token is detected and verified. The recorded security context may be updated prior to the client device’s attempt of the second connection to the network.

In accordance with a yet further aspect of this particular exemplary embodiment, the method may comprise configuring a connection between the client device and the network based at least in part on the evaluation of the security context. The method may also comprise re-configuring the connection between the client device and the network based at least in part on a security token stored in the client device.
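The following is an added illustration of the embodiments above (security-context evaluation, graded privilege assignment, and a client-held security token that is verified on a second connection and re-evaluated against an updated context). It is example code written for this page, not the patent's or any product's implementation; the scoring tables, thresholds, privilege names, token format, and the HMAC-based integrity check are all constructed assumptions, since the patent does not specify how the token is protected or how the factors are weighed.

```python
"""Security-context-based access assignment with a client-held token.
Constructed example; names, weights and thresholds are assumptions."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed scoring tables (higher login strength is better, higher medium risk is worse).
LOGIN_STRENGTH = {"password": 1, "otp+password": 2, "certificate": 3}
MEDIUM_RISK = {"wired": 0, "wifi_wpa2": 1, "wifi_open": 3}


@dataclass(frozen=True)
class SecurityContext:
    """The four factors the patent names for the security context."""
    login_mechanism: str        # how the user logged in on the client device
    network_threat_level: int   # 0 (quiet) .. 3 (active attack), set by the network
    access_medium: str          # medium the client connects over
    device_security_level: int  # 0 (infected/unpatched) .. 3 (fully compliant), from the agent


def assign_privileges(ctx: SecurityContext) -> frozenset:
    """Graded decision rather than pass/fail: the same authenticated user
    receives more or fewer privileges depending on the circumstances."""
    if ctx.device_security_level == 0:
        # A device the agent reports as compromised only reaches a remediation segment.
        return frozenset({"remediation"})
    score = (LOGIN_STRENGTH.get(ctx.login_mechanism, 0)
             + ctx.device_security_level
             - MEDIUM_RISK.get(ctx.access_medium, 3)   # unknown medium treated as worst case
             - ctx.network_threat_level)
    if score >= 5:
        return frozenset({"internet", "intranet", "admin"})
    if score >= 3:
        return frozenset({"internet", "intranet"})
    if score >= 1:
        return frozenset({"internet"})
    return frozenset({"guest"})


class TokenIssuer:
    """Issues and verifies tokens the client keeps between connections.
    The token records the privileges and the context they were derived from;
    an HMAC over the body lets the network detect tampering on the client side."""

    def __init__(self, key: bytes, lifetime_s: int = 8 * 3600):
        self._key = key
        self._lifetime = lifetime_s

    def issue(self, user: str, ctx: SecurityContext, privileges: frozenset, now: float) -> bytes:
        body = json.dumps({"user": user, "ctx": asdict(ctx), "priv": sorted(privileges),
                           "exp": int(now) + self._lifetime}, sort_keys=True).encode()
        mac = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return body + b"." + mac   # the hex MAC never contains ".", so rpartition is safe

    def verify(self, token: bytes, now: float):
        """Return the recorded payload, or None if the MAC or expiry check fails."""
        body, sep, mac = token.rpartition(b".")
        if not sep:
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):
            return None
        payload = json.loads(body)
        if payload["exp"] <= now:
            return None
        return payload


def reconnect(issuer: TokenIssuer, token: bytes, now: float, network_threat_level: int):
    """Second connection, possibly through a different port: if the token verifies,
    refresh the factor the network itself knows has changed (its threat level) and
    re-derive the privileges; None means the caller must run full authentication."""
    payload = issuer.verify(token, now)
    if payload is None:
        return None
    ctx = SecurityContext(**{**payload["ctx"], "network_threat_level": network_threat_level})
    return assign_privileges(ctx)


if __name__ == "__main__":
    issuer = TokenIssuer(b"constructed-demo-key")
    ctx = SecurityContext("certificate", 0, "wired", 3)
    tok = issuer.issue("alice", ctx, assign_privileges(ctx), now=1000.0)
    print(sorted(assign_privileges(ctx)))
    print(sorted(reconnect(issuer, tok, 1001.0, network_threat_level=3)))
```

The point of the graded decision is visible in `reconnect`: a user whose token was issued during a quiet period keeps a verified identity but is reconfigured to a narrower set of privileges once the network's threat level rises, without a full re-authentication.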

In another particular exemplary embodiment, the technique may be realized as at least one signal embodied in at least one carrier wave for transmitting a computer program of instructions configured to be readable by at least one processor for instructing the at least one processor to execute a computer process for performing the method as recited above.

In yet another particular exemplary embodiment, the technique may be realized as at least one processor readable carrier for storing a computer program of instructions configured to be readable by at least one processor for instructing the at least one processor to execute a computer process for performing the method as recited above.

In still another particular exemplary embodiment, the technique may be realized as a system for authenticating network users. The system may comprise a network interface that facilitates communications between a client device and a network. The system may also comprise at least one processor that receives, from a client device, a request for connection to the network, causes a security context associated with the requested connection to be evaluated, and assigns the client device one or more access privileges based at least in part on the evaluation of the security context.

In another particular exemplary embodiment, the technique may be realized as a method for authenticating network users. The method may comprise receiving, from a client device, a request for connection to a network. The method may also comprise identifying a communication protocol employed by the client device. The method may further comprise adopting an authentication scheme that is compatible with the communication protocol, if the compatible authentication scheme is available for use by the network to authenticate the client device. The method may additionally comprise downloading an agent program to the client device if the compatible authentication scheme is not available, wherein the agent program interacts with the network to authenticate the client device.

In accordance with other aspects of this particular exemplary embodiment, the compatible authentication scheme may be selected from a group consisting of: authentication schemes associated with the IEEE 802.1x standard, authentication schemes based on one or more Media Access Control (MAC) address lists, authentication schemes based on one or more Internet Protocol (IP) address lists, and authentication schemes based on the Remote Authentication Dial In User Service (RADIUS) protocol.

The present disclosure will now be described in more detail with reference to exemplary embodiments thereof as shown in the accompanying drawings. While the present disclosure is described below with reference to exemplary embodiments, it should be understood that the present disclosure is not limited thereto. Those of ordinary skill in the art having access to the teachings herein will recognize additional implementations, modifications, and embodiments, as well as other fields of use, which are within the scope of the present disclosure as described herein, and with respect to which the present disclosure may be of significant utility.


15 May 1998
